Absolute File Name: | /home/opencoverage/opencoverage/guest-scripts/libressl/src/ssl/s3_cbc.c |
Source code | Switch to Preprocessed file |
Line | Source | Count | ||||||
---|---|---|---|---|---|---|---|---|
1 | /* $OpenBSD: s3_cbc.c,v 1.17 2018/09/08 14:39:41 jsing Exp $ */ | - | ||||||
2 | /* ==================================================================== | - | ||||||
3 | * Copyright (c) 2012 The OpenSSL Project. All rights reserved. | - | ||||||
4 | * | - | ||||||
5 | * Redistribution and use in source and binary forms, with or without | - | ||||||
6 | * modification, are permitted provided that the following conditions | - | ||||||
7 | * are met: | - | ||||||
8 | * | - | ||||||
9 | * 1. Redistributions of source code must retain the above copyright | - | ||||||
10 | * notice, this list of conditions and the following disclaimer. | - | ||||||
11 | * | - | ||||||
12 | * 2. Redistributions in binary form must reproduce the above copyright | - | ||||||
13 | * notice, this list of conditions and the following disclaimer in | - | ||||||
14 | * the documentation and/or other materials provided with the | - | ||||||
15 | * distribution. | - | ||||||
16 | * | - | ||||||
17 | * 3. All advertising materials mentioning features or use of this | - | ||||||
18 | * software must display the following acknowledgment: | - | ||||||
19 | * "This product includes software developed by the OpenSSL Project | - | ||||||
20 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | - | ||||||
21 | * | - | ||||||
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | - | ||||||
23 | * endorse or promote products derived from this software without | - | ||||||
24 | * prior written permission. For written permission, please contact | - | ||||||
25 | * openssl-core@openssl.org. | - | ||||||
26 | * | - | ||||||
27 | * 5. Products derived from this software may not be called "OpenSSL" | - | ||||||
28 | * nor may "OpenSSL" appear in their names without prior written | - | ||||||
29 | * permission of the OpenSSL Project. | - | ||||||
30 | * | - | ||||||
31 | * 6. Redistributions of any form whatsoever must retain the following | - | ||||||
32 | * acknowledgment: | - | ||||||
33 | * "This product includes software developed by the OpenSSL Project | - | ||||||
34 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | - | ||||||
35 | * | - | ||||||
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | - | ||||||
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | - | ||||||
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | - | ||||||
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | - | ||||||
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | - | ||||||
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | - | ||||||
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | - | ||||||
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | - | ||||||
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | - | ||||||
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | - | ||||||
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | - | ||||||
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | - | ||||||
48 | * ==================================================================== | - | ||||||
49 | * | - | ||||||
50 | * This product includes cryptographic software written by Eric Young | - | ||||||
51 | * (eay@cryptsoft.com). This product includes software written by Tim | - | ||||||
52 | * Hudson (tjh@cryptsoft.com). | - | ||||||
53 | * | - | ||||||
54 | */ | - | ||||||
55 | - | |||||||
56 | #include "ssl_locl.h" | - | ||||||
57 | - | |||||||
58 | #include <openssl/md5.h> | - | ||||||
59 | #include <openssl/sha.h> | - | ||||||
60 | - | |||||||
61 | /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length | - | ||||||
62 | * field. (SHA-384/512 have 128-bit length.) */ | - | ||||||
63 | #define MAX_HASH_BIT_COUNT_BYTES 16 | - | ||||||
64 | - | |||||||
65 | /* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. | - | ||||||
66 | * Currently SHA-384/512 has a 128-byte block size and that's the largest | - | ||||||
67 | * supported by TLS.) */ | - | ||||||
68 | #define MAX_HASH_BLOCK_SIZE 128 | - | ||||||
69 | - | |||||||
70 | /* Some utility functions are needed: | - | ||||||
71 | * | - | ||||||
72 | * These macros return the given value with the MSB copied to all the other | - | ||||||
73 | * bits. They use the fact that arithmetic shift shifts-in the sign bit. | - | ||||||
74 | * However, this is not ensured by the C standard so you may need to replace | - | ||||||
75 | * them with something else on odd CPUs. */ | - | ||||||
76 | #define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1))) | - | ||||||
77 | #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) | - | ||||||
78 | - | |||||||
79 | /* constant_time_lt returns 0xff if a<b and 0x00 otherwise. */ | - | ||||||
80 | static unsigned | - | ||||||
81 | constant_time_lt(unsigned a, unsigned b) | - | ||||||
82 | { | - | ||||||
83 | a -= b; | - | ||||||
84 | return DUPLICATE_MSB_TO_ALL(a); executed 29976 times by 1 test: return ((unsigned)((int)(a) >> (sizeof(int) * 8 - 1))); Executed by:
| 29976 | ||||||
85 | } | - | ||||||
86 | - | |||||||
87 | /* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ | - | ||||||
88 | static unsigned | - | ||||||
89 | constant_time_ge(unsigned a, unsigned b) | - | ||||||
90 | { | - | ||||||
91 | a -= b; | - | ||||||
92 | return DUPLICATE_MSB_TO_ALL(~a); executed 243952 times by 1 test: return ((unsigned)((int)(~a) >> (sizeof(int) * 8 - 1))); Executed by:
| 243952 | ||||||
93 | } | - | ||||||
94 | - | |||||||
95 | /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ | - | ||||||
96 | static unsigned char | - | ||||||
97 | constant_time_eq_8(unsigned a, unsigned b) | - | ||||||
98 | { | - | ||||||
99 | unsigned c = a ^ b; | - | ||||||
100 | c--; | - | ||||||
101 | return DUPLICATE_MSB_TO_ALL_8(c); executed 2576 times by 1 test: return ((unsigned char)(((unsigned)((int)(c) >> (sizeof(int) * 8 - 1))))); Executed by:
| 2576 | ||||||
102 | } | - | ||||||
103 | - | |||||||
104 | /* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC | - | ||||||
105 | * record in |rec| in constant time and returns 1 if the padding is valid and | - | ||||||
106 | * -1 otherwise. It also removes any explicit IV from the start of the record | - | ||||||
107 | * without leaking any timing about whether there was enough space after the | - | ||||||
108 | * padding was removed. | - | ||||||
109 | * | - | ||||||
110 | * block_size: the block size of the cipher used to encrypt the record. | - | ||||||
111 | * returns: | - | ||||||
112 | * 0: (in non-constant time) if the record is publicly invalid. | - | ||||||
113 | * 1: if the padding was valid | - | ||||||
114 | * -1: otherwise. */ | - | ||||||
115 | int | - | ||||||
116 | tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, | - | ||||||
117 | unsigned mac_size) | - | ||||||
118 | { | - | ||||||
119 | unsigned padding_length, good, to_check, i; | - | ||||||
120 | const unsigned overhead = 1 /* padding length byte */ + mac_size; | - | ||||||
121 | - | |||||||
122 | /* Check if version requires explicit IV */ | - | ||||||
123 | if (SSL_USE_EXPLICIT_IV(s)) {
| 76-108 | ||||||
124 | /* These lengths are all public so we can test them in | - | ||||||
125 | * non-constant time. | - | ||||||
126 | */ | - | ||||||
127 | if (overhead + block_size > rec->length)
| 0-76 | ||||||
128 | return 0; never executed: return 0; | 0 | ||||||
129 | /* We can now safely skip explicit IV */ | - | ||||||
130 | rec->data += block_size; | - | ||||||
131 | rec->input += block_size; | - | ||||||
132 | rec->length -= block_size; | - | ||||||
133 | } else if (overhead > rec->length) executed 76 times by 1 test: end of block Executed by:
| 0-108 | ||||||
134 | return 0; never executed: return 0; | 0 | ||||||
135 | - | |||||||
136 | padding_length = rec->data[rec->length - 1]; | - | ||||||
137 | - | |||||||
138 | good = constant_time_ge(rec->length, overhead + padding_length); | - | ||||||
139 | /* The padding consists of a length byte at the end of the record and | - | ||||||
140 | * then that many bytes of padding, all with the same value as the | - | ||||||
141 | * length byte. Thus, with the length byte included, there are i+1 | - | ||||||
142 | * bytes of padding. | - | ||||||
143 | * | - | ||||||
144 | * We can't check just |padding_length+1| bytes because that leaks | - | ||||||
145 | * decrypted information. Therefore we always have to check the maximum | - | ||||||
146 | * amount of padding possible. (Again, the length of the record is | - | ||||||
147 | * public information so we can use it.) */ | - | ||||||
148 | to_check = 255; /* maximum amount of padding. */ | - | ||||||
149 | if (to_check > rec->length - 1)
| 74-110 | ||||||
150 | to_check = rec->length - 1; executed 110 times by 1 test: to_check = rec->length - 1; Executed by:
| 110 | ||||||
151 | - | |||||||
152 | for (i = 0; i < to_check; i++) {
| 184-23816 | ||||||
153 | unsigned char mask = constant_time_ge(padding_length, i); | - | ||||||
154 | unsigned char b = rec->data[rec->length - 1 - i]; | - | ||||||
155 | /* The final |padding_length+1| bytes should all have the value | - | ||||||
156 | * |padding_length|. Therefore the XOR should be zero. */ | - | ||||||
157 | good &= ~(mask&(padding_length ^ b)); | - | ||||||
158 | } executed 23816 times by 1 test: end of block Executed by:
| 23816 | ||||||
159 | - | |||||||
160 | /* If any of the final |padding_length+1| bytes had the wrong value, | - | ||||||
161 | * one or more of the lower eight bits of |good| will be cleared. We | - | ||||||
162 | * AND the bottom 8 bits together and duplicate the result to all the | - | ||||||
163 | * bits. */ | - | ||||||
164 | good &= good >> 4; | - | ||||||
165 | good &= good >> 2; | - | ||||||
166 | good &= good >> 1; | - | ||||||
167 | good <<= sizeof(good)*8 - 1; | - | ||||||
168 | good = DUPLICATE_MSB_TO_ALL(good); | - | ||||||
169 | - | |||||||
170 | padding_length = good & (padding_length + 1); | - | ||||||
171 | rec->length -= padding_length; | - | ||||||
172 | rec->type |= padding_length<<8; /* kludge: pass padding length */ | - | ||||||
173 | - | |||||||
174 | return (int)((good & 1) | (~good & -1)); executed 184 times by 1 test: return (int)((good & 1) | (~good & -1)); Executed by:
| 184 | ||||||
175 | } | - | ||||||
176 | - | |||||||
177 | /* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in | - | ||||||
178 | * constant time (independent of the concrete value of rec->length, which may | - | ||||||
179 | * vary within a 256-byte window). | - | ||||||
180 | * | - | ||||||
181 | * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to | - | ||||||
182 | * this function. | - | ||||||
183 | * | - | ||||||
184 | * On entry: | - | ||||||
185 | * rec->orig_len >= md_size | - | ||||||
186 | * md_size <= EVP_MAX_MD_SIZE | - | ||||||
187 | * | - | ||||||
188 | * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with | - | ||||||
189 | * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into | - | ||||||
190 | * a single or pair of cache-lines, then the variable memory accesses don't | - | ||||||
191 | * actually affect the timing. CPUs with smaller cache-lines [if any] are | - | ||||||
192 | * not multi-core and are not considered vulnerable to cache-timing attacks. | - | ||||||
193 | */ | - | ||||||
194 | #define CBC_MAC_ROTATE_IN_PLACE | - | ||||||
195 | - | |||||||
196 | void | - | ||||||
197 | ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, | - | ||||||
198 | unsigned md_size, unsigned orig_len) | - | ||||||
199 | { | - | ||||||
200 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
201 | unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; | - | ||||||
202 | unsigned char *rotated_mac; | - | ||||||
203 | #else | - | ||||||
204 | unsigned char rotated_mac[EVP_MAX_MD_SIZE]; | - | ||||||
205 | #endif | - | ||||||
206 | - | |||||||
207 | /* mac_end is the index of |rec->data| just after the end of the MAC. */ | - | ||||||
208 | unsigned mac_end = rec->length; | - | ||||||
209 | unsigned mac_start = mac_end - md_size; | - | ||||||
210 | /* scan_start contains the number of bytes that we can ignore because | - | ||||||
211 | * the MAC's position can only vary by 255 bytes. */ | - | ||||||
212 | unsigned scan_start = 0; | - | ||||||
213 | unsigned i, j; | - | ||||||
214 | unsigned div_spoiler; | - | ||||||
215 | unsigned rotate_offset; | - | ||||||
216 | - | |||||||
217 | OPENSSL_assert(orig_len >= md_size); | - | ||||||
218 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); | - | ||||||
219 | - | |||||||
220 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
221 | rotated_mac = rotated_mac_buf + ((0 - (size_t)rotated_mac_buf)&63); | - | ||||||
222 | #endif | - | ||||||
223 | - | |||||||
224 | /* This information is public so it's safe to branch based on it. */ | - | ||||||
225 | if (orig_len > md_size + 255 + 1)
| 74-110 | ||||||
226 | scan_start = orig_len - (md_size + 255 + 1); executed 74 times by 1 test: scan_start = orig_len - (md_size + 255 + 1); Executed by:
| 74 | ||||||
227 | /* div_spoiler contains a multiple of md_size that is used to cause the | - | ||||||
228 | * modulo operation to be constant time. Without this, the time varies | - | ||||||
229 | * based on the amount of padding when running on Intel chips at least. | - | ||||||
230 | * | - | ||||||
231 | * The aim of right-shifting md_size is so that the compiler doesn't | - | ||||||
232 | * figure out that it can remove div_spoiler as that would require it | - | ||||||
233 | * to prove that md_size is always even, which I hope is beyond it. */ | - | ||||||
234 | div_spoiler = md_size >> 1; | - | ||||||
235 | div_spoiler <<= (sizeof(div_spoiler) - 1) * 8; | - | ||||||
236 | rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; | - | ||||||
237 | - | |||||||
238 | memset(rotated_mac, 0, md_size); | - | ||||||
239 | for (i = scan_start, j = 0; i < orig_len; i++) {
| 184-25752 | ||||||
240 | unsigned char mac_started = constant_time_ge(i, mac_start); | - | ||||||
241 | unsigned char mac_ended = constant_time_ge(i, mac_end); | - | ||||||
242 | unsigned char b = rec->data[i]; | - | ||||||
243 | rotated_mac[j++] |= b & mac_started & ~mac_ended; | - | ||||||
244 | j &= constant_time_lt(j, md_size); | - | ||||||
245 | } executed 25752 times by 1 test: end of block Executed by:
| 25752 | ||||||
246 | - | |||||||
247 | /* Now rotate the MAC */ | - | ||||||
248 | #if defined(CBC_MAC_ROTATE_IN_PLACE) | - | ||||||
249 | j = 0; | - | ||||||
250 | for (i = 0; i < md_size; i++) {
| 184-4224 | ||||||
251 | /* in case cache-line is 32 bytes, touch second line */ | - | ||||||
252 | ((volatile unsigned char *)rotated_mac)[rotate_offset^32]; | - | ||||||
253 | out[j++] = rotated_mac[rotate_offset++]; | - | ||||||
254 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
255 | } executed 4224 times by 1 test: end of block Executed by:
| 4224 | ||||||
256 | #else | - | ||||||
257 | memset(out, 0, md_size); | - | ||||||
258 | rotate_offset = md_size - rotate_offset; | - | ||||||
259 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
260 | for (i = 0; i < md_size; i++) { | - | ||||||
261 | for (j = 0; j < md_size; j++) | - | ||||||
262 | out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); | - | ||||||
263 | rotate_offset++; | - | ||||||
264 | rotate_offset &= constant_time_lt(rotate_offset, md_size); | - | ||||||
265 | } | - | ||||||
266 | #endif | - | ||||||
267 | } executed 184 times by 1 test: end of block Executed by:
| 184 | ||||||
268 | - | |||||||
269 | /* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in | - | ||||||
270 | * little-endian order. The value of p is advanced by four. */ | - | ||||||
271 | #define u32toLE(n, p) \ | - | ||||||
272 | (*((p)++)=(unsigned char)(n), \ | - | ||||||
273 | *((p)++)=(unsigned char)(n>>8), \ | - | ||||||
274 | *((p)++)=(unsigned char)(n>>16), \ | - | ||||||
275 | *((p)++)=(unsigned char)(n>>24)) | - | ||||||
276 | - | |||||||
277 | /* These functions serialize the state of a hash and thus perform the standard | - | ||||||
278 | * "final" operation without adding the padding and length that such a function | - | ||||||
279 | * typically does. */ | - | ||||||
280 | static void | - | ||||||
281 | tls1_md5_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
282 | { | - | ||||||
283 | MD5_CTX *md5 = ctx; | - | ||||||
284 | u32toLE(md5->A, md_out); | - | ||||||
285 | u32toLE(md5->B, md_out); | - | ||||||
286 | u32toLE(md5->C, md_out); | - | ||||||
287 | u32toLE(md5->D, md_out); | - | ||||||
288 | } never executed: end of block | 0 | ||||||
289 | - | |||||||
290 | static void | - | ||||||
291 | tls1_sha1_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
292 | { | - | ||||||
293 | SHA_CTX *sha1 = ctx; | - | ||||||
294 | l2n(sha1->h0, md_out); | - | ||||||
295 | l2n(sha1->h1, md_out); | - | ||||||
296 | l2n(sha1->h2, md_out); | - | ||||||
297 | l2n(sha1->h3, md_out); | - | ||||||
298 | l2n(sha1->h4, md_out); | - | ||||||
299 | } executed 1008 times by 1 test: end of block Executed by:
| 1008 | ||||||
300 | - | |||||||
301 | static void | - | ||||||
302 | tls1_sha256_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
303 | { | - | ||||||
304 | SHA256_CTX *sha256 = ctx; | - | ||||||
305 | unsigned i; | - | ||||||
306 | - | |||||||
307 | for (i = 0; i < 8; i++) {
| 252-2016 | ||||||
308 | l2n(sha256->h[i], md_out); | - | ||||||
309 | } executed 2016 times by 1 test: end of block Executed by:
| 2016 | ||||||
310 | } executed 252 times by 1 test: end of block Executed by:
| 252 | ||||||
311 | - | |||||||
312 | static void | - | ||||||
313 | tls1_sha512_final_raw(void* ctx, unsigned char *md_out) | - | ||||||
314 | { | - | ||||||
315 | SHA512_CTX *sha512 = ctx; | - | ||||||
316 | unsigned i; | - | ||||||
317 | - | |||||||
318 | for (i = 0; i < 8; i++) {
| 28-224 | ||||||
319 | l2n8(sha512->h[i], md_out); | - | ||||||
320 | } executed 224 times by 1 test: end of block Executed by:
| 224 | ||||||
321 | } executed 28 times by 1 test: end of block Executed by:
| 28 | ||||||
322 | - | |||||||
323 | /* Largest hash context ever used by the functions above. */ | - | ||||||
324 | #define LARGEST_DIGEST_CTX SHA512_CTX | - | ||||||
325 | - | |||||||
326 | /* Type giving the alignment needed by the above */ | - | ||||||
327 | #define LARGEST_DIGEST_CTX_ALIGNMENT SHA_LONG64 | - | ||||||
328 | - | |||||||
329 | /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function | - | ||||||
330 | * which ssl3_cbc_digest_record supports. */ | - | ||||||
331 | char | - | ||||||
332 | ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) | - | ||||||
333 | { | - | ||||||
334 | switch (EVP_MD_CTX_type(ctx)) { | - | ||||||
335 | case NID_md5: never executed: case 4: | 0 | ||||||
336 | case NID_sha1: executed 144 times by 1 test: case 64: Executed by:
| 144 | ||||||
337 | case NID_sha224: never executed: case 675: | 0 | ||||||
338 | case NID_sha256: executed 36 times by 1 test: case 672: Executed by:
| 36 | ||||||
339 | case NID_sha384: executed 4 times by 1 test: case 673: Executed by:
| 4 | ||||||
340 | case NID_sha512: never executed: case 674: | 0 | ||||||
341 | return 1; executed 184 times by 1 test: return 1; Executed by:
| 184 | ||||||
342 | default: never executed: default: | 0 | ||||||
343 | return 0; never executed: return 0; | 0 | ||||||
344 | } | - | ||||||
345 | } | - | ||||||
346 | - | |||||||
347 | /* ssl3_cbc_digest_record computes the MAC of a decrypted, padded TLS | - | ||||||
348 | * record. | - | ||||||
349 | * | - | ||||||
350 | * ctx: the EVP_MD_CTX from which we take the hash function. | - | ||||||
351 | * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. | - | ||||||
352 | * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. | - | ||||||
353 | * md_out_size: if non-NULL, the number of output bytes is written here. | - | ||||||
354 | * header: the 13-byte, TLS record header. | - | ||||||
355 | * data: the record data itself, less any preceeding explicit IV. | - | ||||||
356 | * data_plus_mac_size: the secret, reported length of the data and MAC | - | ||||||
357 | * once the padding has been removed. | - | ||||||
358 | * data_plus_mac_plus_padding_size: the public length of the whole | - | ||||||
359 | * record, including padding. | - | ||||||
360 | * | - | ||||||
361 | * On entry: by virtue of having been through one of the remove_padding | - | ||||||
362 | * functions, above, we know that data_plus_mac_size is large enough to contain | - | ||||||
363 | * a padding byte and MAC. (If the padding was invalid, it might contain the | - | ||||||
364 | * padding too. ) | - | ||||||
365 | */ | - | ||||||
366 | int | - | ||||||
367 | ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, | - | ||||||
368 | size_t* md_out_size, const unsigned char header[13], | - | ||||||
369 | const unsigned char *data, size_t data_plus_mac_size, | - | ||||||
370 | size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, | - | ||||||
371 | unsigned mac_secret_length) | - | ||||||
372 | { | - | ||||||
373 | union { | - | ||||||
374 | /* | - | ||||||
375 | * Alignment here is to allow this to be cast as SHA512_CTX | - | ||||||
376 | * without losing alignment required by the 64-bit SHA_LONG64 | - | ||||||
377 | * integer it contains. | - | ||||||
378 | */ | - | ||||||
379 | LARGEST_DIGEST_CTX_ALIGNMENT align; | - | ||||||
380 | unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; | - | ||||||
381 | } md_state; | - | ||||||
382 | void (*md_final_raw)(void *ctx, unsigned char *md_out); | - | ||||||
383 | void (*md_transform)(void *ctx, const unsigned char *block); | - | ||||||
384 | unsigned md_size, md_block_size = 64; | - | ||||||
385 | unsigned header_length, variance_blocks, | - | ||||||
386 | len, max_mac_bytes, num_blocks, | - | ||||||
387 | num_starting_blocks, k, mac_end_offset, c, index_a, index_b; | - | ||||||
388 | unsigned int bits; /* at most 18 bits */ | - | ||||||
389 | unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; | - | ||||||
390 | /* hmac_pad is the masked HMAC key. */ | - | ||||||
391 | unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; | - | ||||||
392 | unsigned char first_block[MAX_HASH_BLOCK_SIZE]; | - | ||||||
393 | unsigned char mac_out[EVP_MAX_MD_SIZE]; | - | ||||||
394 | unsigned i, j, md_out_size_u; | - | ||||||
395 | EVP_MD_CTX md_ctx; | - | ||||||
396 | /* mdLengthSize is the number of bytes in the length field that terminates | - | ||||||
397 | * the hash. */ | - | ||||||
398 | unsigned md_length_size = 8; | - | ||||||
399 | char length_is_big_endian = 1; | - | ||||||
400 | - | |||||||
401 | /* This is a, hopefully redundant, check that allows us to forget about | - | ||||||
402 | * many possible overflows later in this function. */ | - | ||||||
403 | OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); | - | ||||||
404 | - | |||||||
405 | switch (EVP_MD_CTX_type(ctx)) { | - | ||||||
406 | case NID_md5: never executed: case 4: | 0 | ||||||
407 | MD5_Init((MD5_CTX*)md_state.c); | - | ||||||
408 | md_final_raw = tls1_md5_final_raw; | - | ||||||
409 | md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; | - | ||||||
410 | md_size = 16; | - | ||||||
411 | length_is_big_endian = 0; | - | ||||||
412 | break; never executed: break; | 0 | ||||||
413 | case NID_sha1: executed 144 times by 1 test: case 64: Executed by:
| 144 | ||||||
414 | SHA1_Init((SHA_CTX*)md_state.c); | - | ||||||
415 | md_final_raw = tls1_sha1_final_raw; | - | ||||||
416 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; | - | ||||||
417 | md_size = 20; | - | ||||||
418 | break; executed 144 times by 1 test: break; Executed by:
| 144 | ||||||
419 | case NID_sha224: never executed: case 675: | 0 | ||||||
420 | SHA224_Init((SHA256_CTX*)md_state.c); | - | ||||||
421 | md_final_raw = tls1_sha256_final_raw; | - | ||||||
422 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; | - | ||||||
423 | md_size = 224/8; | - | ||||||
424 | break; never executed: break; | 0 | ||||||
425 | case NID_sha256: executed 36 times by 1 test: case 672: Executed by:
| 36 | ||||||
426 | SHA256_Init((SHA256_CTX*)md_state.c); | - | ||||||
427 | md_final_raw = tls1_sha256_final_raw; | - | ||||||
428 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; | - | ||||||
429 | md_size = 32; | - | ||||||
430 | break; executed 36 times by 1 test: break; Executed by:
| 36 | ||||||
431 | case NID_sha384: executed 4 times by 1 test: case 673: Executed by:
| 4 | ||||||
432 | SHA384_Init((SHA512_CTX*)md_state.c); | - | ||||||
433 | md_final_raw = tls1_sha512_final_raw; | - | ||||||
434 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; | - | ||||||
435 | md_size = 384/8; | - | ||||||
436 | md_block_size = 128; | - | ||||||
437 | md_length_size = 16; | - | ||||||
438 | break; executed 4 times by 1 test: break; Executed by:
| 4 | ||||||
439 | case NID_sha512: never executed: case 674: | 0 | ||||||
440 | SHA512_Init((SHA512_CTX*)md_state.c); | - | ||||||
441 | md_final_raw = tls1_sha512_final_raw; | - | ||||||
442 | md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; | - | ||||||
443 | md_size = 64; | - | ||||||
444 | md_block_size = 128; | - | ||||||
445 | md_length_size = 16; | - | ||||||
446 | break; never executed: break; | 0 | ||||||
447 | default: never executed: default: | 0 | ||||||
448 | /* ssl3_cbc_record_digest_supported should have been | - | ||||||
449 | * called first to check that the hash function is | - | ||||||
450 | * supported. */ | - | ||||||
451 | OPENSSL_assert(0); | - | ||||||
452 | if (md_out_size)
| 0 | ||||||
453 | *md_out_size = 0; never executed: *md_out_size = 0; | 0 | ||||||
454 | return 0; never executed: return 0; | 0 | ||||||
455 | } | - | ||||||
456 | - | |||||||
457 | OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); | - | ||||||
458 | OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); | - | ||||||
459 | OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); | - | ||||||
460 | - | |||||||
461 | header_length = 13; | - | ||||||
462 | - | |||||||
463 | /* variance_blocks is the number of blocks of the hash that we have to | - | ||||||
464 | * calculate in constant time because they could be altered by the | - | ||||||
465 | * padding value. | - | ||||||
466 | * | - | ||||||
467 | * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not | - | ||||||
468 | * required to be minimal. Therefore we say that the final six blocks | - | ||||||
469 | * can vary based on the padding. | - | ||||||
470 | * | - | ||||||
471 | * Later in the function, if the message is short and there obviously | - | ||||||
472 | * cannot be this many blocks then variance_blocks can be reduced. */ | - | ||||||
473 | variance_blocks = 6; | - | ||||||
474 | /* From now on we're dealing with the MAC, which conceptually has 13 | - | ||||||
475 | * bytes of `header' before the start of the data (TLS) */ | - | ||||||
476 | len = data_plus_mac_plus_padding_size + header_length; | - | ||||||
477 | /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including | - | ||||||
478 | * |header|, assuming that there's no padding. */ | - | ||||||
479 | max_mac_bytes = len - md_size - 1; | - | ||||||
480 | /* num_blocks is the maximum number of hash blocks. */ | - | ||||||
481 | num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; | - | ||||||
482 | /* In order to calculate the MAC in constant time we have to handle | - | ||||||
483 | * the final blocks specially because the padding value could cause the | - | ||||||
484 | * end to appear somewhere in the final |variance_blocks| blocks and we | - | ||||||
485 | * can't leak where. However, |num_starting_blocks| worth of data can | - | ||||||
486 | * be hashed right away because no padding value can affect whether | - | ||||||
487 | * they are plaintext. */ | - | ||||||
488 | num_starting_blocks = 0; | - | ||||||
489 | /* k is the starting byte offset into the conceptual header||data where | - | ||||||
490 | * we start processing. */ | - | ||||||
491 | k = 0; | - | ||||||
492 | /* mac_end_offset is the index just past the end of the data to be | - | ||||||
493 | * MACed. */ | - | ||||||
494 | mac_end_offset = data_plus_mac_size + header_length - md_size; | - | ||||||
495 | /* c is the index of the 0x80 byte in the final hash block that | - | ||||||
496 | * contains application data. */ | - | ||||||
497 | c = mac_end_offset % md_block_size; | - | ||||||
498 | /* index_a is the hash block number that contains the 0x80 terminating | - | ||||||
499 | * value. */ | - | ||||||
500 | index_a = mac_end_offset / md_block_size; | - | ||||||
501 | /* index_b is the hash block number that contains the 64-bit hash | - | ||||||
502 | * length, in bits. */ | - | ||||||
503 | index_b = (mac_end_offset + md_length_size) / md_block_size; | - | ||||||
504 | /* bits is the hash-length in bits. It includes the additional hash | - | ||||||
505 | * block for the masked HMAC key. */ | - | ||||||
506 | - | |||||||
507 | if (num_blocks > variance_blocks) {
| 0-184 | ||||||
508 | num_starting_blocks = num_blocks - variance_blocks; | - | ||||||
509 | k = md_block_size*num_starting_blocks; | - | ||||||
510 | } never executed: end of block | 0 | ||||||
511 | - | |||||||
512 | bits = 8*mac_end_offset; | - | ||||||
513 | /* Compute the initial HMAC block. */ | - | ||||||
514 | bits += 8*md_block_size; | - | ||||||
515 | memset(hmac_pad, 0, md_block_size); | - | ||||||
516 | OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); | - | ||||||
517 | memcpy(hmac_pad, mac_secret, mac_secret_length); | - | ||||||
518 | for (i = 0; i < md_block_size; i++)
| 184-12032 | ||||||
519 | hmac_pad[i] ^= 0x36; executed 12032 times by 1 test: hmac_pad[i] ^= 0x36; Executed by:
| 12032 | ||||||
520 | - | |||||||
521 | md_transform(md_state.c, hmac_pad); | - | ||||||
522 | - | |||||||
523 | if (length_is_big_endian) {
| 0-184 | ||||||
524 | memset(length_bytes, 0, md_length_size - 4); | - | ||||||
525 | length_bytes[md_length_size - 4] = (unsigned char)(bits >> 24); | - | ||||||
526 | length_bytes[md_length_size - 3] = (unsigned char)(bits >> 16); | - | ||||||
527 | length_bytes[md_length_size - 2] = (unsigned char)(bits >> 8); | - | ||||||
528 | length_bytes[md_length_size - 1] = (unsigned char)bits; | - | ||||||
529 | } else { executed 184 times by 1 test: end of block Executed by:
| 184 | ||||||
530 | memset(length_bytes, 0, md_length_size); | - | ||||||
531 | length_bytes[md_length_size - 5] = (unsigned char)(bits >> 24); | - | ||||||
532 | length_bytes[md_length_size - 6] = (unsigned char)(bits >> 16); | - | ||||||
533 | length_bytes[md_length_size - 7] = (unsigned char)(bits >> 8); | - | ||||||
534 | length_bytes[md_length_size - 8] = (unsigned char)bits; | - | ||||||
535 | } never executed: end of block | 0 | ||||||
536 | - | |||||||
537 | if (k > 0) {
| 0-184 | ||||||
538 | /* k is a multiple of md_block_size. */ | - | ||||||
539 | memcpy(first_block, header, 13); | - | ||||||
540 | memcpy(first_block + 13, data, md_block_size - 13); | - | ||||||
541 | md_transform(md_state.c, first_block); | - | ||||||
542 | for (i = 1; i < k/md_block_size; i++)
| 0 | ||||||
543 | md_transform(md_state.c, data + md_block_size*i - 13); never executed: md_transform(md_state.c, data + md_block_size*i - 13); | 0 | ||||||
544 | } never executed: end of block | 0 | ||||||
545 | - | |||||||
546 | memset(mac_out, 0, sizeof(mac_out)); | - | ||||||
547 | - | |||||||
548 | /* We now process the final hash blocks. For each block, we construct | - | ||||||
549 | * it in constant time. If the |i==index_a| then we'll include the 0x80 | - | ||||||
550 | * bytes and zero pad etc. For each block we selectively copy it, in | - | ||||||
551 | * constant time, to |mac_out|. */ | - | ||||||
552 | for (i = num_starting_blocks; i <= num_starting_blocks + variance_blocks; i++) {
| 184-1288 | ||||||
553 | unsigned char block[MAX_HASH_BLOCK_SIZE]; | - | ||||||
554 | unsigned char is_block_a = constant_time_eq_8(i, index_a); | - | ||||||
555 | unsigned char is_block_b = constant_time_eq_8(i, index_b); | - | ||||||
556 | for (j = 0; j < md_block_size; j++) {
| 1288-84224 | ||||||
557 | unsigned char b = 0, is_past_c, is_past_cp1; | - | ||||||
558 | if (k < header_length)
| 2392-81832 | ||||||
559 | b = header[k]; executed 2392 times by 1 test: b = header[k]; Executed by:
| 2392 | ||||||
560 | else if (k < data_plus_mac_plus_padding_size + header_length)
| 26704-55128 | ||||||
561 | b = data[k - header_length]; executed 26704 times by 1 test: b = data[k - header_length]; Executed by:
| 26704 | ||||||
562 | k++; | - | ||||||
563 | - | |||||||
564 | is_past_c = is_block_a & constant_time_ge(j, c); | - | ||||||
565 | is_past_cp1 = is_block_a & constant_time_ge(j, c + 1); | - | ||||||
566 | /* If this is the block containing the end of the | - | ||||||
567 | * application data, and we are at the offset for the | - | ||||||
568 | * 0x80 value, then overwrite b with 0x80. */ | - | ||||||
569 | b = (b&~is_past_c) | (0x80&is_past_c); | - | ||||||
570 | /* If this is the block containing the end of the | - | ||||||
571 | * application data and we're past the 0x80 value then | - | ||||||
572 | * just write zero. */ | - | ||||||
573 | b = b&~is_past_cp1; | - | ||||||
574 | /* If this is index_b (the final block), but not | - | ||||||
575 | * index_a (the end of the data), then the 64-bit | - | ||||||
576 | * length didn't fit into index_a and we're having to | - | ||||||
577 | * add an extra block of zeros. */ | - | ||||||
578 | b &= ~is_block_b | is_block_a; | - | ||||||
579 | - | |||||||
580 | /* The final bytes of one of the blocks contains the | - | ||||||
581 | * length. */ | - | ||||||
582 | if (j >= md_block_size - md_length_size) {
| 10528-73696 | ||||||
583 | /* If this is index_b, write a length byte. */ | - | ||||||
584 | b = (b&~is_block_b) | (is_block_b&length_bytes[j - (md_block_size - md_length_size)]); | - | ||||||
585 | } executed 10528 times by 1 test: end of block Executed by:
| 10528 | ||||||
586 | block[j] = b; | - | ||||||
587 | } executed 84224 times by 1 test: end of block Executed by:
| 84224 | ||||||
588 | - | |||||||
589 | md_transform(md_state.c, block); | - | ||||||
590 | md_final_raw(md_state.c, block); | - | ||||||
591 | /* If this is index_b, copy the hash value to |mac_out|. */ | - | ||||||
592 | for (j = 0; j < md_size; j++)
| 1288-29568 | ||||||
593 | mac_out[j] |= block[j]&is_block_b; executed 29568 times by 1 test: mac_out[j] |= block[j]&is_block_b; Executed by:
| 29568 | ||||||
594 | } executed 1288 times by 1 test: end of block Executed by:
| 1288 | ||||||
595 | - | |||||||
596 | EVP_MD_CTX_init(&md_ctx); | - | ||||||
597 | if (!EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */)) {
| 0-184 | ||||||
598 | EVP_MD_CTX_cleanup(&md_ctx); | - | ||||||
599 | return 0; never executed: return 0; | 0 | ||||||
600 | } | - | ||||||
601 | - | |||||||
602 | /* Complete the HMAC in the standard manner. */ | - | ||||||
603 | for (i = 0; i < md_block_size; i++)
| 184-12032 | ||||||
604 | hmac_pad[i] ^= 0x6a; executed 12032 times by 1 test: hmac_pad[i] ^= 0x6a; Executed by:
| 12032 | ||||||
605 | - | |||||||
606 | EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); | - | ||||||
607 | EVP_DigestUpdate(&md_ctx, mac_out, md_size); | - | ||||||
608 | - | |||||||
609 | EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); | - | ||||||
610 | if (md_out_size)
| 0-184 | ||||||
611 | *md_out_size = md_out_size_u; executed 184 times by 1 test: *md_out_size = md_out_size_u; Executed by:
| 184 | ||||||
612 | EVP_MD_CTX_cleanup(&md_ctx); | - | ||||||
613 | - | |||||||
614 | return 1; executed 184 times by 1 test: return 1; Executed by:
| 184 | ||||||
615 | } | - | ||||||
Source code | Switch to Preprocessed file |